Solved

Onion Links detected -Identifying suspicious files

  • September 12, 2024
  • 8 comments
  • 2030 views


We have enabled malware scanning, and we got a warning that some of the servers have a potential malware detection, specifically "Onion Links". I enabled inline entropy scanning.

I took a look at the full logs of the scan on the mount server, C:\ProgramData\Veeam\Backup\Malware_Detection_Logs, and only the logs for Windows machines appear there; however, as confirmed by Veeam's support, scanning backups of Linux machines is not supported at this time, so the Linux VM logs are missing. When you click the malware detection event, there is nothing in the details, not even paths.

I also checked c:\VBRCatalog\Index\Machines\Affected-Linux-VM\ransonwareidx, but I still cannot identify which files or paths to files are affected.

How can I scan our Linux machines to determine the paths of the files behind the "Onion Links" malware detection? I would like to identify which files are being flagged as malware so I can "mark clean" if need be.

Any help regarding this please and thank you
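What the question actually needs, finding which files on the Linux guest carry the flagged indicator, can be done outside Veeam with a plain shell scan. The script below is an added example for this thread; it is not Veeam's scan engine, does not read SuspiciousFiles.xml, and is not code from the original post. Run it against the root of the live guest filesystem or against the mount point of a restored backup (for example an FLR session) to list files that contain a Tor ".onion" hostname, which is what ransom notes typically carry. The address pattern (a 16- or 56-character base32 label before ".onion"), the 512 KiB file-size cap and the constructed sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Veeam's malware scan engine: locate files on a Linux
# filesystem (the live guest, or the mount point of a restored backup) that
# contain a Tor hidden-service hostname, the indicator behind an "Onion Links"
# style detection. Assumption: an address is 16 (v2) or 56 (v3) base32
# characters followed by ".onion".
ONION_RE='[a-z2-7]{16,56}\.onion'

# scan_onion_links DIR [MAX_KB]
# Prints "<path><TAB><first matched address>" for each regular file under DIR
# that contains an onion address. -xdev keeps find on one filesystem, so a
# mounted backup is scanned without wandering into the host; only files
# smaller than MAX_KB (default 512) are read, because ransom notes are small
# and this keeps the pass cheap on large trees. Both limits are assumptions.
scan_onion_links() {
    dir=$1
    max_kb=${2:-512}
    find "$dir" -xdev -type f -size "-${max_kb}k" -print 2>/dev/null |
    while IFS= read -r f; do
        # -a reads binaries as text, -o prints just the match, -i tolerates
        # upper-case labels; head keeps the first hit so each file is one line
        m=$(grep -a -o -i -E "$ONION_RE" "$f" 2>/dev/null | head -n 1)
        [ -n "$m" ] || continue
        printf '%s\t%s\n' "$f" "$m"
    done
}

# demo_scan: builds constructed sample files (fake addresses, no real links)
# in a temporary tree, scans it and prints the number of flagged files.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice" "$tmp/var/www"
    v3=$(printf '%056d' 0 | tr 0 a)   # 56 x "a": constructed v3-length label
    printf 'Your files are encrypted. Contact http://%s.onion/\n' "$v3" \
        > "$tmp/home/alice/README_TO_RESTORE.txt"
    # constructed v2-length label inside a config comment
    printf '# mirror: abcdefghijklmnop.onion\n' > "$tmp/var/www/mirrors.conf"
    # clean file that only contains the ordinary word "onion"
    printf 'onion soup recipe\n' > "$tmp/home/alice/recipe.txt"
    scan_onion_links "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

demo_scan   # prints 2: the note and the config are flagged, the recipe is not
```

On a real host run it as `scan_onion_links /` (or `scan_onion_links /mnt/flr`) and review the listed paths before deciding whether the detection is a false positive; legitimate files can mention onion addresses too, which is why the script prints the matched string next to the path rather than deleting anything.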

Best answer by coolsport00

@lorenzo55 - there were some ‘tweaks’ to the Malware Scan engines to not be so... “noisy”... or trigger so many false positives. From that standpoint alone, as well as vulnerabilities Veeam recently found, updating is highly recommended.

Veeam updates its SuspiciousFiles.xml file each day, which it uses for the scans, so is fairly up to date.

https://www.veeam.com/kb4514

No other configurations I’m aware of regarding that threat.


8 comments

coolsport00
  • Veeam Legend
  • 4170 comments
  • September 12, 2024

Hi @lorenzo55 -

Welcome to the Community. If you enabled Inline Entropy scanning and your “event” is an Inline Entropy event, the Malware_Detection_Logs folder is not for that scan engine; that folder is used by the File System Analysis engine only. I discuss this and several other things in a post I did below. This should also help you scan your Linux system for Onion Links files:

Let me know if you have further questions.

Best.


  • Author
  • New Here
  • 3 comments
  • September 27, 2024
coolsport00 wrote:

Hi @lorenzo55 -

Welcome to the Community. If you enabled Inline Entropy scanning and your “event” is an Inline Entropy event, the Malware_Detection_Logs folder is not for that scan engine; that folder is used by the File System Analysis engine only. I discuss this and several other things in a post I did below. This should also help you scan your Linux system for Onion Links files:

Let me know if you have further questions.

Best.

Thank you for your response.

I have a follow-up question. We have upgraded to the VBR 12.2 release. We have recently become aware of a new threat called the Mallox ransomware, which now also targets Linux systems.


Given the critical nature of our data and the potential impacts of this ransomware:

  1. How effective is the latest Veeam update (12.2) in detecting and mitigating the Mallox ransomware on Linux servers?
  2. Are there any specification changes Veeam recommends to enhance our protection against this particular threat?

https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/

https://linuxexpress.medium.com/mallox-ransomware-the-rise-of-a-persistent-threat-in-linux-systems-c0033d2a868b


Thanks once again


coolsport00
  • Veeam Legend
  • 4170 comments
  • Answer
  • September 27, 2024

@lorenzo55 - there were some ‘tweaks’ to the Malware Scan engines to not be so... “noisy”... or trigger so many false positives. From that standpoint alone, as well as vulnerabilities Veeam recently found, updating is highly recommended.

Veeam updates its SuspiciousFiles.xml file each day, which it uses for the scans, so is fairly up to date.

https://www.veeam.com/kb4514

No other configurations I’m aware of regarding that threat.


  • Author
  • New Here
  • 3 comments
  • October 1, 2024
coolsport00 wrote:

@lorenzo55 - there were some ‘tweaks’ to the Malware Scan engines to not be so... “noisy”... or trigger so many false positives. From that standpoint alone, as well as vulnerabilities Veeam recently found, updating is highly recommended.

Veeam updates its SuspiciousFiles.xml file each day, which it uses for the scans, so is fairly up to date.

https://www.veeam.com/kb4514

No other configurations I’m aware of regarding that threat.

Again, thank you for your response. Indeed you are a legend :)


coolsport00
  • Veeam Legend
  • 4170 comments
  • October 1, 2024

No problem @lorenzo55 , glad I could help. 😊


coolsport00
  • Veeam Legend
  • 4170 comments
  • October 1, 2024

If any of my comments helped you out, don't forget to mark one as 'Best Answer' so others with a similar question who come across this post can benefit.

Thanks. 


coolsport00
  • Veeam Legend
  • 4170 comments
  • October 3, 2024

Hi @Madi.Cristil @safiya - for the most appropriate answer selection for this post, I believe the selected ‘Best Answer’ should be my comment the author/poster “quoted”. Could you please deselect what he selected and mark my comment he used as Best Answer?

Thank you.

